b'                                                                                  AUDIT REPORT\n                                                                           Issue Date: March 2, 1998\n                                                                           Number: 8-7-H-008-010\n\n\nTo:\t            J. Larry Wilson\n                Chief Financial Officer\n\n                Lawrence E. Barrett\n                Chief Information Officer\n\n\n\n\nFrom:           Peter L. McClintock\n                Assistant Inspector General for Auditing\n\nSubject:        Audit of SBA\xe2\x80\x99s FY 1997 Financial Statements\n\n        Pursuant to the Chief Financial Officers Act of 1990, attached is the Independent Auditor\xe2\x80\x99s Report\n(Attachment 1) issued by Cotton & Company., CPAs. They concluded that the financial statements\npresent fairly, in all material respects, the financial position of SBA as of September 30, 1997, and 1996,\nand the results of operations and changes in net position for the years then ended in accordance with\nFederally prescribed accounting principles.\n\n         The section on SBA\xe2\x80\x99s internal control structure discusses problems related to (1) subsidy\nmodeling and re-estimating process, (2) financial reporting process, and (3) information system controls.\nThe section on compliance with laws and regulations indicates SBA\xe2\x80\x99s financial management system was\nnot in compliance with the requirements referred to in the Federal Financial Management Improvement\nAct of 1996. The report includes a disclaimer on information in the CFO\xe2\x80\x99s annual report which was not\nsubject to audit procedures. The auditors also noted other management and internal control issues that\nwill be communicated in a separate management letter.\n\n          SBA officials agreed with the findings and recommendations and, in some instances, have\ninitiated corrective action. The findings and recommendations are subject to review, management\ndecision, and action by your office in accordance with Standard Operating Procedure 90 15,\nResolution and Follow-Up Procedures on Audit Findings and Recommendations. Please provide us\nyour proposed management decisions on SBA Form 1824, Recommendation Action Sheet, also attached\nwithin 30 days.\n\n      Should you or your staff have any questions, please contact Victor R. Ruiz, Director,\nHeadquarters Operations, on (202) 205-7204.\n\nAttachments\n\x0c                                                                                    Attachment 1\n                                                                                     Page 1 of 12\n\n            COTTON & COMPANY LLP\n                               CERTIFIED PUBLIC ACCOUNTANTS\n\n              333 NORTH FAIRFAX STREET \xe2\x80\xa2 SUITE 401 \xe2\x80\xa2 ALEXANDRIA, VIRGINIA 22314\n\nDAVID L. COTTON, CPA, CFE            MICHAEL W. GILLESPIE, CPA, CFE        ELLEN P. REED, CPA\nCHARLES HAYWARD, CPA, CPE            CATHERINE L. NOCERA, CPA              MATTHEW H. JOHNSON,\nCPA\n\n\n\n\nInspector General\nUnited States Small Business Administration\n\n\n                            INDEPENDENT AUDITOR\xe2\x80\x99S REPORT\n\n        We have audited the U.S. Small Business Administration\xe2\x80\x99s (SBA) statements of financial\nposition as of September 30, 1997, and 1996, and the related consolidated statements of\noperations and changes in net position (the principal statements) for the years then ended.\n\n       \xe2\x80\xa2\t      For Fiscal Years (FY) 1997 and 1996, the principal statements are\n\n               presented fairly, in all material respects.\n\n\n       \xe2\x80\xa2\t      For FY 1997, we found three reportable internal control findings, which\n               are described below in the section titled SBA\xe2\x80\x99s Internal Controls; two are\n               material weaknesses.\n\n       \xe2\x80\xa2\t      For FY 1997, we found no material noncompliance with the selected\n               provisions of applicable laws and regulations tested. We did, however,\n               find that SBA\xe2\x80\x99s financial management systems did not always\n               substantially comply with Federal financial management system\n               requirements.\n\n       These matters and the scope of our work are discussed in more detail under the following\ncaptions:\n\n       \xe2\x80\xa2    Auditors\xe2\x80\x99 Opinion on Principal Statements\n       \xe2\x80\xa2    SBA\xe2\x80\x99s Internal Controls\n       \xe2\x80\xa2    SBA\xe2\x80\x99s Compliance with Laws and Regulations\n       \xe2\x80\xa2    Significant Matters\n       \xe2\x80\xa2    SBA\xe2\x80\x99s Responsibilities\n       \xe2\x80\xa2    Auditors\xe2\x80\x99 Responsibilities\n       \xe2\x80\xa2    Auditors\xe2\x80\x99 Methodology\n       \xe2\x80\xa2    Disclaimer on Other Information\n\n                                                1\n\n\x0c                                                                                        Attachment 1\n\n                                                                                         Page 2 of 12\n\n       \xe2\x80\xa2   Management Comments on Audit Results\n       \xe2\x80\xa2   Report Usage and Distribution\n\nAUDITORS\xe2\x80\x99 OPINION ON PRINCIPAL STATEMENTS\n\n        We have audited the accompanying statements of financial position of SBA as of\nSeptember 30, 1997, and 1996, and the related statements of operations and changes in net\nposition for the years then ended. These financial statements are the responsibility of SBA\xe2\x80\x99s\nmanagement. They were prepared in accordance with Office of Management and Budget (OMB)\nBulletin No. 94-01, Form and Content of Agency Financial Statements, as amended by\napplicable portions of OMB Bulletin No. 97-01, which is another comprehensive basis of\naccounting, as described in Note 1. Our responsibility is to express an opinion on these financial\nstatements based on our audits.\n\n        We conducted our audits in accordance with generally accepted auditing standards;\nGovernment Auditing Standards issued by the Comptroller General of the United States; and\nOMB Bulletin No. 93-06 (as amended), Audit Requirements for Federal Financial Statements.\nThose standards require that we plan and perform our audits to obtain reasonable assurance about\nwhether the financial statements are free of material misstatement. An audit includes examining,\non a test basis, evidence supporting the amounts and disclosures in the financial statements. An\naudit also includes assessing the accounting principles used and significant estimates made by\nmanagement, as well as evaluating the overall financial statement presentation. We believe that\nour audits provide a reasonable basis for our opinion.\n\n       In our opinion, the financial statements referred to above present fairly, in all material\nrespects, the financial position of SBA as of September 30, 1997, and 1996, and the results of\noperations and changes in net position for the years then ended in conformity with the basis of\naccounting described above.\n\n       We conducted our audits to form our opinion on the principal statements taken as a\nwhole. SBA\xe2\x80\x99s Annual Report also includes supplementary schedules that show the activity\ncomprising SBA\xe2\x80\x99s reporting entity. The supplementary schedules are not a required part of the\nprincipal statements.\n\n        The supplementary schedules are presented for purposes of additional analysis rather than\nto present the financial position and results of operations and changes in net position of the\nindividual accounts and funds. These schedules have been subjected to the auditing procedures\napplied in our audit of the principal statements and, in our opinion, are fairly stated in all material\nrespects in relation to the principal statements taken as a whole.\n\nSBA\xe2\x80\x99S INTERNAL CONTROLS\n\n        In planning and performing our audit of SBA\xe2\x80\x99s financial statements for the years ended\nSeptember 30, 1997, and 1996, we considered SBA\xe2\x80\x99s internal controls to determine our auditing\nprocedures for the purpose of expressing our opinion on the financial statements and not to\nprovide assurance on internal controls. We obtained an understanding of the design of\nsignificant internal control policies and procedures; determined if they had been placed in\n\n                                                  2\n\n\x0c                                                                                       Attachment 1\n                                                                                        Page 3 of 12\noperation; assessed control risk for significant cycles, transaction classes, and account balances;\nand performed tests of internal controls.\n        SBA management is responsible for establishing and maintaining systems of internal\ncontrols. In fulfilling this responsibility, estimates and judgments by management are required to\nassess the expected benefits and related costs of internal control policies and procedures. The\nobjectives of internal controls are to provide management with reasonable, but not absolute,\nassurance that:\n\n1. \t   Transactions are properly recorded and accounted for to permit the preparation of reliable\n       financial statements and to maintain accountability over assets.\n\n2. \t   Fund, property, and other assets are safeguarded against loss from unauthorized use or\n       disposition.\n\n3. \t   Transactions are executed in compliance with applicable laws and regulations.\n\n         Because of inherent limitations in internal controls, errors or irregularities may occur and\nnot be detected. Also, projection of any evaluation of internal controls to future periods is\nsubject to the risk that procedures may become inadequate as the result of changes in conditions\nor that the effectiveness of the design and operation of policies and procedures may deteriorate.\n\n        We noted certain matters involving internal controls and their operation that we consider\nto be reportable conditions under standards established by the American Institute of Certified\nPublic Accountants and OMB Bulletin No. 93-06, as amended. Reportable conditions involve\nmatters coming to our attention relating to significant deficiencies in the design or operation of\ninternal controls that, in our judgment, could adversely affect SBA\xe2\x80\x99s ability to record, process,\nsummarize, and report financial data consistent with the assertions of management in the\nfinancial statements.\n\n        The reportable conditions and our recommendations appear below. The computer\nsecurity portion of reportable condition No. 3 was also cited in the independent auditors\xe2\x80\x99 report\non the internal control structure dated February 14, 1997, which is the report of Cotton &\nCompany\xe2\x80\x99s audit of SBA\xe2\x80\x99s FY 1996 and 1995 principal statements.\n\n        A material weakness is a reportable condition in which the design or operation of one or\nmore of the internal control elements does not reduce to a relatively low level the risk that errors\nor irregularities in amounts that would be material in relation to the principal statements being\naudited may occur and not be detected within a timely period by employees during the normal\ncourse of performing their assigned functions.\n\n        Our consideration of internal controls would not necessarily disclose all matters relating\nto internal controls that might be reportable conditions and, accordingly, would not necessarily\ndisclose all reportable conditions that are also considered material weaknesses as defined above.\nWe consider reportable conditions No. 1 and No. 2 to be material weaknesses.\n\n\n\n\n                                                  3\n\n\x0c                                                                                    Attachment 1\n                                                                                     Page 4 of 12\n       We also noted other matters involving internal controls and their operations that we\nconsider nonreportable conditions. We will communicate these matters to management in a\nseparate letter.\n\n1. \t   Subsidy Modeling and Re-Estimating Processes\n\n        SBA\xe2\x80\x99s internal control functions governing the credit reform subsidy modeling and re-\nestimating processes need improvement. SBA personnel computed subsidy re-estimates in\nJanuary 1998. As part of our audit, we reviewed the re-estimate process and noted substantial\nerrors in the 7(a), 504, and disaster program re-estimate calculations to be included in the FY\n1997 principal statements. For example:\n\n       \xe2\x80\xa2\t      Incorrect data were used in several re-estimate cash flow spreadsheets,\n               including incorrect discount rates.\n\n       \xe2\x80\xa2\t      Incorrect cell references and formulas occurred in several re-estimate\n               spreadsheets.\n\n       \xe2\x80\xa2\t      Data were incorrectly carried forward to cash flow models from\n\n               underlying spreadsheets.\n\n\n       These errors resulted in adjustments to the principal statements in excess of $250 million.\n\n       In addition, we noted that few, if any, controls governed the FY 1997 and FY 1998\nbudget execution subsidy processes that took place in FY 1995 and FY 1996, respectively. For\ninstance, SBA did not retain the computerized cash flow models for the FYs 1992 through 1997\nbudget execution rates. The budget execution models are an integral part of performing re-\nestimates and should be retained as a matter of routine recordkeeping.\n\n       The conditions noted above resulted from the lack of adequate internal controls over the\nsubsidy process, coupled by severe time constraints imposed on relatively new staff who had not\npreviously completed a re-estimate cycle. Responsibility for accumulating and analyzing data,\ndesigning credit subsidy models, and calculating budget estimates and program re-estimates lies\nwith the Office of the Chief Financial Officer (OCFO). To date, OCFO does not have\ndocumented policies and procedures to govern its credit subsidy process as required by the\nGeneral Accounting Office\xe2\x80\x99s (GAO) Standards for Internal Controls in the Federal Government.\nSuch documentation should identify:\n\n       \xe2\x80\xa2\t      Internal control objectives.\n\n       \xe2\x80\xa2\t      Techniques for assuring that objectives will be achieved, including clear\n               designations of duties and responsibilities, record retention policies, and\n               documentation requirements.\n\n       \xe2\x80\xa2\t      Each major transaction and event affecting the credit subsidy processes.\n\n\n\n                                                 4\n\n\x0c                                                                                      Attachment 1\n\n                                                                                       Page 5 of 12\n\n       \xe2\x80\xa2\t      The transaction flow from source document to final classification in\n               financial reports.\n\n        OCFO personnel have expressed a positive attitude toward strengthening the internal\ncontrols over the subsidy process. OCFO personnel advised us of their efforts to improve\ninternal controls on the subsidy rate process. SBA has developed a process for peer, supervisory,\nand contractor reviews of estimates and better audit trails. Because of the timing of the FY 1999\nbudget process, however, it was only partially implemented for FY 1999 estimates and not\nimplemented for re-estimates. A quality review process is essential to ensure that the work of\nassigned staff is adequately supervised, reviewed, and approved, as required by GAO\xe2\x80\x99s\nStandards for Internal Controls In the Federal Government. Such a process would include\nreviewing work products at critical points throughout the process as well as a systematic review\nof the final product to prevent or detect errors in a timely manner. Key duties and responsibilities\nshould be adequately separated to provide for independent second reviews of all key work\nproducts to enhance data accuracy.\n\nRecommendations\n\n       We recommend that the OCFO continue to develop internal controls over both its credit\nsubsidy and re-estimate processes. At a minimum, it should document its policies and\nprocedures and develop a formalized quality review process. In addition, we recommend that\nOCFO ensure that adequate resources and time are available to effectively implement these\ncontrols.\n\n2. \t   Financial Reporting Process\n\n        Improved financial reporting processes are needed at SBA to ensure compliance with the\nGovernment Management Reform Act of 1994 (GMRA), which requires Federal agencies to\nsubmit audited Department-wide financial statements to OMB by March 1. SBA had established\na timetable outlining critical financial information and financial statement completion dates to\nallow for the statements to be audited. SBA did not meet its December 15, 1997, deadline for\nsubmitting draft financial statements. Furthermore, when the draft statements were provided,\nthey contained numerous errors and omissions that were identified by both SBA and the auditors,\nresulting in several iterations of the financial statements and underlying financial information.\n\n       The delay in the financial reporting was caused by several factors:\n\n       \xe2\x80\xa2\t      The agency lacks a comprehensive plan for preparing financial statements,\n               including identification of all requirements.\n\n       \xe2\x80\xa2\t      Fund Balances with Treasury reconciliation adjustments were not\n\n               completed until January 1998.\n\n\n       \xe2\x80\xa2\t      Subsidy rate re-estimates were not completed until January 1998.\n       SBA posted the above adjustments directly to the financial statements, instead of the\ngeneral ledger, to maintain reporting consistency with its FACTS data submitted to Treasury. By\ndoing so, however, the reporting process was complicated because the adjustments were\n                                                 5\n\n\x0c                                                                                  Attachment 1\n                                                                                   Page 6 of 12\nextensive\xe2\x80\x94several hundred million dollars affecting each of the agency\xe2\x80\x99s programs and up to 26\ndifferent accounts in each program. Additionally, the adjustments were done hurriedly and not\nthoroughly reviewed by SBA before submission to us.\n\n        Further, because of the above factors, additional time was needed for auditing and\nreviewing the financial statements to ensure that account balances were properly reported on the\nfinancial statements and footnotes.\n\n        SBA faces a tremendous challenge in FY 1998. SBA\xe2\x80\x99s plan to move its financial\nreporting to the Office of Financial Operations (OFO) in Denver coupled with additional\nrequirements brought on by several new Federal accounting standards increase its need to control\nthis function. Thus, SBA must implement controls to plan and monitor the reporting process and\nensure that staff is adequately trained. Without improvements in its financial reporting\nprocesses, SBA\xe2\x80\x99s ability to submit its FY 1998 consolidated financial statements by March 1,\n1999, is doubtful.\n\nRecommendations\n\n        We recommend that OCFO devote immediate attention to implementing a comprehensive\nplan for financial reporting. The plan should identify, in detail:\n\n       \xe2\x80\xa2\t      Procedures required to acquire documentation and prepare financial\n               statements according to an established timetable.\n\n       \xe2\x80\xa2\t      Individuals who will perform critical functions.\n\n       \xe2\x80\xa2\t      Deadlines needed for each critical phase of the plan (e.g., documentation\n               requests, statement preparation, quality control, and so forth).\n\n       \xe2\x80\xa2\t      A description of how each of the programs will consolidate into a\n\n               consistent, Agency-wide financial statement presentation.\n\n\n      We also recommend that all staff assuming financial reporting responsibilities at OFO in\nDenver obtain technical training on Federal financial accounting and reporting.\n\n3. \t   Information System Controls\n\n        SBA needs to improve information system controls in the areas of (1) entity-wide\nsecurity; (2) access privileges; (3) application development and program changes; (4) service\ncontinuity; (5) data authorization, completeness, and accuracy; and (6) segregation of duties.\n\n\n\n\n                                                6\n\n\x0c                                                                            Attachment 1\n\n                                                                              Page 7 of 12\n\n\xe2\x80\xa2\t   Entity-Wide Security. SBA has not implemented an entity-wide security\n     program for its key information system. The OCIO has developed the\n     framework, but has not performed necessary risk assessments, prepared\n     detailed security plans, identified incompatible duties, and established\n     compensating controls for key systems. OCIO stated that, because of a\n     lack of resources, it has been unable to fully implement its entity-wide\n     security plan. As a result, unauthorized alteration and corruption of data\n     could occur and be undetected. OMB Circulars A-130, Management of\n     Federal Information Resources, and A-123, Internal Control Systems,\n     require agencies to implement comprehensive entity-wide security\n     programs.\n\n\xe2\x80\xa2\t   Access Privileges. Computer programmers had unnecessary privileges\n     that permitted remote access to Loan Accounting System (LAS)\n     production data and programs. This increased the risk that unauthorized\n     activities and transactions could occur without detection. Information\n     systems standards require that programmer access be held to an absolute\n     minimum. During the audit, OCIO reviewed access needs and reduced the\n     access privileges of 25 individuals.\n\n\xe2\x80\xa2\t   Application Development and Program Changes. SBA implemented\n     and is installing software applications without formal certification and in\n     the absence of agency-wide standards for non-mainframe application\n     development. The Surety Bond system was put into production prior to\n     certification, and field offices were developing microcomputer\n     applications without standards to ensure that the systems would (1) meet\n     user needs; (2) provide useful, reliable, and accurate information; and (3)\n     protect agency interests.\n\n\xe2\x80\xa2\t   Service Continuity. SBA does not have service continuity plans in place\n     for all of its systems. OCIO is developing disaster recovery plans to\n     address disruption of all agency systems, but SBA\xe2\x80\x99s contract for Federal\n     Financial System data processing does not address this issue. Should this\n     facility incur a disaster, SBA would suffer significant disruptions to key\n     business activities. OMB Circulars A-130 and A-123 require agencies to\n     take steps necessary to minimize risks that impact their ability to meet\n     critical mission functions.\n\n\xe2\x80\xa2\t   Data Authorization, Completeness, and Accuracy. Quality assurance\n     controls for major applications do not ensure data accuracy, reliability, and\n     completeness. For example, loan disbursement amounts and balances\n     differed among the Data Communication System, Automated Loan\n     Control System, and Loan Accounting System. In addition, data-entry\n     edits did not preclude a $26,500 charge off of accrued interest on an\n     account that did not have accrued interest or a change in loan status to\n     \xe2\x80\x9cPaid-in-Full\xe2\x80\x9d on a loan with an approximate $58,000 outstanding\n     balance. In other instances, nonfinancial borrower-related information\n                                       7\n\n\x0c                                                                                       Attachment 1\n                                                                                        Page 8 of 12\n               was missing or inaccurate. Although our exceptions to this nonfinancial\n               information do not affect the financial statements directly, this missing or\n               inaccurate information weakens SBA\xe2\x80\x99s ability to collect on loans and\n               recover collateral.\n\n       \xe2\x80\xa2\t      Segregation of Duties. Although OCIO has established a policy to\n               prevent field office security officers from having conflicting and\n               incompatible duties in 4 of 17 offices surveyed, the security officer is also\n               a liquidation supervisor. This creates a segregation of duties issue,\n               because the same individual has access both to user passwords and\n               identifications and has access and control over liquidation documents.\n               OCIO and SBA field offices share security responsibility for the LAS.\n\n       The Chief Information Officer agreed that improvements are needed in the agency\xe2\x80\x99s\ninformation systems controls, but stated that his office does not have the necessary resources.\n\nRecommendations\n\n       We recommend that:\n\n1.\t    The Chief Information Officer request that (a) priority attention be given to his request for\n       resources to develop and implement the agency-wide security program and application\n       development standards and (b) interagency agreements and contracts for data processing\n       administered by other program offices be submitted for his review to ensure that security\n       and business continuity issues are addressed.\n\n2.\t    As resources become available, the Chief Information Officer implement the agency-wide\n       security program and application development standards in accordance with OMB\n       Circulars A-123 and A-130.\n\n3.\t    The Chief Information Officer and Chief Financial Officer periodically review\n       programmer access privileges, maintain them at the lowest possible level, and require\n       supervisory review of all emergency program fixes (actual program instructions) within\n       48 hours.\n\n4.\t    The Chief Information Officer develop guidance and requirements for SBA program\n       offices to identify incompatible positions and ensure adequate segregation of duties.\n\nSBA\xe2\x80\x99S COMPLIANCE WITH LAWS AND REGULATIONS\n\n        Compliance with laws and regulations applicable to SBA is the responsibility of SBA\nmanagement. As part of obtaining reasonable assurance about whether SBA\xe2\x80\x99s principal\nstatements are free of material misstatement, we performed tests of SBA\xe2\x80\x99s compliance with\ncertain provisions of applicable laws and regulations. Noncompliance with such provisions\ncould have a direct and material effect on the determination of financial statement amounts. We\nalso tested certain other laws and regulations specified in OMB Bulletin 93-06, as amended,\n\n\n                                                 8\n\n\x0c                                                                                 Attachment 1\n                                                                                  Page 9 of 12\nincluding the requirements referred to in the Federal Financial Management Improvement Act of\n1996 (FFMIA).\n\n       The results of our tests of compliance with the laws and regulations described in the\npreceding paragraph disclosed no instances of noncompliance that would be reportable under\nGovernment Auditing Standards or OMB Bulletin 93-06, as amended, except as described below.\nThe objective of our tests was not, however, to provide an opinion on overall compliance with\nsuch provisions. Accordingly, we do not express such an opinion.\n\n      We noted certain immaterial instances of noncompliance that we will report to SBA\nmanagement in a separate letter.\n\n        Under FFMIA, we are required to report whether the agency\xe2\x80\x99s financial management\nsystems substantially comply with (1) Federal financial management system requirements,\n(2) applicable accounting standards, and (3) the United States Standard General Ledger at the\ntransaction level. To meet this requirement, we performed tests of compliance using the\nimplementation guidance for FFMIA issued by OMB on September 9, 1997.\n\n       The results of our tests disclosed instances, described below, in which SBA\xe2\x80\x99s financial\nmanagement systems did not substantially comply with requirements 1 and 2 in the preceding\nparagraph.\n\nDocumentation of Processing Instructions\n\n        OCFO does not have documented policies and procedures to govern its credit subsidy\nprocess. OMB Circular A-127 (revised), Financial Management Systems, requires agency\nfinancial management systems and processing instructions be clearly documented in hard copy\nor electronically. The condition and recommended actions are contained in this report under the\nsection titled SBA\xe2\x80\x99s Internal Controls. We recommend that management complete corrective\nactions by March 1, 1999.\n\nTimely Financial Information\n\n        OCFO did not provide financial information and draft financial statements to its auditors\non a timely basis. GMRA requires agencies to submit audited financial statements to OMB by\nMarch 1. This condition and our recommended actions are contained in this report under the\nsection titled SBA\xe2\x80\x99s Internal Controls. We recommend that management complete corrective\nactions by March 1, 1999.\n\nEntity-Wide Security\n\n        The OCIO has not implemented an entity-wide security program. OMB Circulars A-127\n(revised) and A-130 require agencies to implement comprehensive entity-wide security\nprograms. This condition and our recommended actions are contained in this report under the\nsection titled SBA\xe2\x80\x99s Internal Controls. We recommend that management complete corrective\nactions by March 1, 2000.\n\n\n                                                9\n\n\x0c                                                                                    Attachment 1\n\n                                                                                    Page 10 of 12\n\nSIGNIFICANT MATTERS\n\n        In this report under the section titled SBA\xe2\x80\x99s Internal Controls, we identified three\nreportable conditions. We compared these conditions with SBA\xe2\x80\x99s 1997 FMFIA report dated\nJanuary 13, 1998, and found that these three conditions were not presented in that report.\nTherefore, we are reporting this conflict between SBA\xe2\x80\x99s most recent FMFIA report and the\nresults of our evaluation of SBA\xe2\x80\x99s internal controls, in accord with OMB Bulletin No. 93-06, as\namended.\n\nSBA\xe2\x80\x99S RESPONSIBLILTIES\n\n       SBA\xe2\x80\x99s management is responsible for:\n\n       \xe2\x80\xa2\t      Preparing the annual principal statements in conformity with the basis of\n               accounting described in Note 1.\n\n       \xe2\x80\xa2\t      Establishing, maintaining, and assessing the internal controls to provide\n               reasonable assurance that the broad control objectives of FMFIA are met.\n\n       \xe2\x80\xa2\t      Complying with applicable laws and regulations.\n\nAUDITORS\xe2\x80\x99 RESPONSIBLITIES\n\n        Our responsibility is to express an opinion on the principal statements based on our\nconsideration of SBA\xe2\x80\x99s internal controls and our audit procedures. We are also responsible for\ntesting compliance with selected provisions of laws and regulations and for performing limited\nprocedures with respect to other information appearing in SBA\xe2\x80\x99s Annual Report.\n\nAUDITORS\xe2\x80\x99 METHODOLOGY\n\n       To fulfill these responsibilities, we:\n\n       \xe2\x80\xa2\t      Examined, on a test basis, evidence supporting the amounts in SBA\xe2\x80\x99s\n               principal statements and related disclosures.\n\n       \xe2\x80\xa2\t      Assessed the accounting principles used and significant estimates made by\n               management in the preparation of the principal statements.\n\n       \xe2\x80\xa2\t      Evaluated the overall presentation of the principal statements.\n\n       \xe2\x80\xa2\t      Obtained an understanding of the internal controls related to safeguarding\n               assets, compliance with laws and regulations including execution of\n               transactions in accordance with budget authority, and financial reporting.\n\n       \xe2\x80\xa2\t      Tested compliance with selected provisions of laws and regulations that, if\n               not complied with, could directly and materially affect the principal\n               statements.\n                                                10\n\n\x0c                                                                                    Attachment 1\n\n                                                                                    Page 11 of 12\n\n\n       \xe2\x80\xa2\t      Tested management processes for evaluating and reporting on internal\n               controls and accounting systems as required by FMFIA by comparing [in\n               accord with OMB Bulletin No. 93-06, as amended, paragraph 6.a(4)]\n               SBA\xe2\x80\x99s most recent FMFIA report with the results of our evaluation of\n               SBA\xe2\x80\x99s internal controls.\n\n       \xe2\x80\xa2\t      Assessed whether the other information in SBA\xe2\x80\x99s Annual Report and the\n               manner of its presentation are materially consistent with the information in\n               the principal statements taken as a whole.\n\nDISCLAIMER ON OTHER INFORMATION\n\n        Our audits were made for the purpose of forming an opinion on the principal statements\ntaken as a whole. The principal statements are contained in SBA\xe2\x80\x99s Annual Report, which also\ncontains sections titled Message From the Administrator, Executive Summary, Agency\nAccomplishments, Message From the Chief Financial Officer, Agency Overview, and SBA\nProgram Description and Analysis. These sections contain a wide range of information presented\nfor purposes of additional analysis. Some of this information is also required by OMB Bulletin\nNo. 94-01.\n\n       The information in these sections is not part of the principal statements and has not been\nsubjected to the auditing procedures applied in the audits of the principal statements.\nAccordingly, we express no opinion on the information in these sections.\n\nMANAGEMENT COMMENTS ON AUDIT RESULTS\n\n       Management followed up with written replies from both OCFO and OCIO dated February\n27, 1998. These replies, reproduced as attachments, are responsive to our findings and indicate\nthat management will provide a detailed corrective action plan addressing each item.\n\n\n\n\n                                                11\n\n\x0c                                                                                    Attachment 1\n\n                                                                                    Page 12 of 12\n\nREPORT USAGE AND DISTRIBUTION\n\n        This report is intended solely for the information and use of SBA\xe2\x80\x99s Inspector General and\nmanagement and should not be used for any other purpose. This restriction is not intended to\nlimit the distribution of this report which, upon acceptance by SBA, is a matter of public record.\n\n\n                                     COTTON & COMPANY, LLP\n\n\n\n\nAlexandria, Virginia\nFebruary 27, 1998\n\n\n\n\n                                                12\n\n\x0c\x0c\x0c                                                        ATTACHMENT 3\n                                  REPORT DISTRIBUTION\n\nRecipient                                                      Copies\n\nAdministrator                                                  1\n\nDeputy Administrator                                           1\n\nAssociate Deputy Administrator for                             1\n Management & Administration\n\nAssociate Administrator for Field Operations                   1\n\nAssociate Administrator                                        1\n Office of Congressional & Legislative Affairs\n\nAssociate Administrator                                        1\n Office of Financial Assistance\n\nChief Information Officer                                      1\n\nChief Financial Officer                                        1\n\nGeneral Counsel                                                2\n\nGeneral Accounting Office                                      2\n\x0c'